Introduction to remote control of a protocol analyzer through firewalls

Source: Internet
Author: User
Tags: firewall

When an intranet is connected to the Internet, it gains a physical path to tens of thousands of unknown networks and users. Those connections open the way to a wide variety of applications and shared information, but most of an organisation's content is certainly not meant to be shared with the outside world, and the Internet gives attackers a vast space from which to steal information and disrupt the network. Security therefore becomes a concern as soon as the intranet is connected to the Internet.

Why use a firewall

A firewall is a security mechanism that restricts outside users' access to a network via the Internet: a set of rules that filter packets, letting the wanted traffic through and blocking the unwanted. Most firewalls check the information in each packet against an access control list (ACL) and a conduit, and then forward the packet according to the configuration that matched.

(Translator's note: A conduit is a virtual circuit through the firewall that allows an external machine to initiate a connection to an internal machine. Each conduit is a potential threat, so its use must be limited to what the security policy and business requirements demand; where possible, restrict the remote source address, the local destination address and the protocol. An ACL is a way of filtering packets on a network device such as a router or switch through a series of permit and deny statements. To keep the access granted to the minimum required, the access list should be configured carefully, and where possible it too should be restricted by remote source address, local destination address and protocol.)

If a packet matches neither the ACL nor the conduit requirements, the firewall discards it. ACLs and conduits define which frames are acceptable to the network, and the matching conditions can be set very generally or very specifically. For example, a loosely configured conduit lets all traffic pass without restricting any source or destination host. A tightly configured conduit permits only the host with IP address 45.30.155.30 to communicate with the internal host 10.17.2.30 over UDP port 161, so that only SNMP traffic between those two hosts can pass through the firewall.
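The two conduits described above, as an added example that is not part of the original article: a small first-match packet filter in Python that evaluates permit/deny rules the way an access list does, ending in the implicit deny. The rule representation, the sample packets and the stranger's address 198.51.100.7 are constructed for this example; the addresses 45.30.155.30 and 10.17.2.30 and UDP port 161 are the ones from the text.

```python
"""Added example (not from the original article): a first-match packet filter
that evaluates access-list style permit/deny rules, to show how a general
conduit and a tightly restricted one treat the same packets.
Rule format, sample packets and the 198.51.100.7 address are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str                    # CIDR, or "any"
    dst: str                    # CIDR, or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return _in_net(pkt.src, self.src) and _in_net(pkt.dst, self.dst)


def _in_net(addr: str, net: str) -> bool:
    if net == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that matches no rule is dropped,
    which is the implicit deny at the end of every access list."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The two conduits from the text: everything, or only SNMP between two hosts.
LOOSE = [Rule("permit", "ip", "any", "any")]
TIGHT = [Rule("permit", "udp", "45.30.155.30/32", "10.17.2.30/32", 161)]

# Constructed sample traffic arriving at the firewall.
SAMPLE: Dict[str, Packet] = {
    "snmp from manager": Packet("45.30.155.30", "10.17.2.30", "udp", 161),
    "snmp from stranger": Packet("198.51.100.7", "10.17.2.30", "udp", 161),
    "http from manager": Packet("45.30.155.30", "10.17.2.30", "tcp", 80),
    "snmp to other host": Packet("45.30.155.30", "10.17.2.31", "udp", 161),
}


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Decision of the given rule set for every sample packet."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, decisions(rules))
```

Under the loose conduit every sample packet is permitted; under the tight one only the SNMP packet from 45.30.155.30 to 10.17.2.30 passes, while HTTP from the same host, SNMP from any other host and SNMP to any other internal host all fall through to the implicit deny. One caveat when carrying this over to a firewall that also performs NAT: the rule must name the address as the firewall sees it at the point where the rule is evaluated (for a PIX conduit that is the translated global address); the code follows the text and uses the internal address.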

How to configure a firewall for remote access

Remote access to the OptiView Protocol Analyzer through a firewall requires attention to several things. Unless the firewall is already open to all applications, the administrator will have to add one or two configuration statements to it.

First, the OptiView Protocol Analyzer requires a public IP address. When private addresses are used on the internal network, many network administrators use network address translation (NAT) to map a network with thousands of private addresses onto one or a few public addresses. NAT converts the host addresses on the internal interface to global addresses associated with the external interface, so that the internal host addresses are never exposed on other interfaces. If you choose to use NAT to hide the internal host addresses, first decide the range of addresses to be translated.

(Translator's note: For internal systems, NAT rewrites the source IP address of packets sent to the outside. It supports both dynamic and static translation. NAT lets you assign private addresses to internal systems, or keep existing non-routable addresses. NAT also improves security because it hides the real network identity of internal systems from the external network.)

When NAT is used, the OptiView Protocol Analyzer requires a static NAT entry. With dynamic NAT the external address is drawn from a specified pool, so an internal host does not get the same external address every time. With a static entry the OptiView Protocol Analyzer gets a fixed address from the address mapping table, and that fixed address is what outside hosts use to reach it. If NAT is not used, the OptiView Protocol Analyzer simply works with its current address. Once the OptiView Protocol Analyzer has its static NAT entry, the firewall itself needs some configuration: if remote users are to reach the analyzer's web interface, the HTTP service must be allowed through to it. Because the static entry makes the analyzer reachable from the Internet at that fixed address, the rule that allows HTTP should be restricted to the remote source addresses that need it and to that one service, in line with the advice on conduits above.

Figure 1: The OptiView Protocol Analyzer's address on the Internet is 45.30.1.1
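A simplified NAT table, added here as an example and not part of the original article, showing why the analyzer needs a static entry rather than a dynamic one. The static mapping of 10.17.2.30 to 45.30.1.1 follows Figure 1 and the text; the dynamic pool 45.30.1.10 to 45.30.1.12, the workstation addresses 10.17.2.50 and 10.17.2.51, and the remote hosts 203.0.113.9 and 198.51.100.7 are constructed for the demonstration. It models plain dynamic NAT (one global address per flow, returned to the pool when the flow ends), not port address translation.

```python
"""Added example (not from the original article): a simplified NAT table.
Static entry 10.17.2.30 -> 45.30.1.1 follows Figure 1; the pool, the
workstations and the remote hosts are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

# A flow is identified by inside address, remote address and remote port.
Flow = Tuple[str, str, int]


class NatTable:
    def __init__(self, static: Dict[str, str], pool: List[str]):
        self.static_in_to_out = dict(static)            # inside -> fixed global
        self.static_out_to_in = {g: i for i, g in static.items()}
        self.free = list(pool)                          # unused dynamic globals
        self.dynamic: Dict[Flow, str] = {}              # active flow -> global

    def outbound(self, flow: Flow) -> Optional[str]:
        """Source translation for a packet leaving the inside interface."""
        inside = flow[0]
        if inside in self.static_in_to_out:
            return self.static_in_to_out[inside]        # always the same
        if flow not in self.dynamic:
            if not self.free:
                return None                             # pool exhausted: drop
            self.dynamic[flow] = self.free.pop(0)       # take next free global
        return self.dynamic[flow]

    def release(self, flow: Flow) -> None:
        """Flow ended: its dynamic global address goes back to the pool."""
        addr = self.dynamic.pop(flow, None)
        if addr is not None:
            self.free.append(addr)

    def inbound(self, global_ip: str, remote_ip: str, remote_port: int) -> Optional[str]:
        """Destination translation for a packet arriving from the outside.
        Only a static entry or an active dynamic flow can be untranslated;
        unsolicited traffic to a pool address has nowhere to go and is dropped."""
        if global_ip in self.static_out_to_in:
            return self.static_out_to_in[global_ip]
        for (inside, rip, rport), g in self.dynamic.items():
            if g == global_ip and rip == remote_ip and rport == remote_port:
                return inside
        return None


def demo() -> Dict[str, Optional[str]]:
    nat = NatTable(static={"10.17.2.30": "45.30.1.1"},
                   pool=["45.30.1.10", "45.30.1.11", "45.30.1.12"])
    result: Dict[str, Optional[str]] = {}
    # The analyzer: same global address every time, and reachable unsolicited.
    result["analyzer_out"] = nat.outbound(("10.17.2.30", "45.30.155.30", 80))
    result["analyzer_in"] = nat.inbound("45.30.1.1", "45.30.155.30", 40000)
    # A workstation: its first session takes the first free pool address.
    f1 = ("10.17.2.50", "203.0.113.9", 443)
    result["ws_first"] = nat.outbound(f1)
    nat.release(f1)
    # Another station takes the next address; when the first workstation
    # comes back it lands on a different global address than before.
    result["other_ws"] = nat.outbound(("10.17.2.51", "203.0.113.9", 443))
    result["ws_second"] = nat.outbound(f1)
    # A reply inside the active flow is untranslated; an unsolicited
    # connection to that same pool address is not.
    result["pool_in_reply"] = nat.inbound("45.30.1.12", "203.0.113.9", 443)
    result["pool_in_unsolicited"] = nat.inbound("45.30.1.12", "198.51.100.7", 80)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The run shows the contrast the text describes: an outside host can always reach 10.17.2.30 through 45.30.1.1, whereas the workstation's global address changes from one session to the next and accepts only replies to sessions it opened itself. That fixed, always-reachable mapping is also why the HTTP rule for the analyzer deserves the source-address restriction mentioned above.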
